I run the gnome desktop environment, so gnome-keyring is enabled by default. I do not want gnome-keyring to remember the passwords to my ssh-keys. Or at least I do not want it to remember the passwords forever, maybe set a timeout for 5 minutes or something. I searched through the NixOS options, but did not see anything obvious to accomplish this. The only thing I found was enable option, but when I disabled this it conflicts with enabling the gnome desktop environment. I also looked through the home-manager option, where I removed ssh from the following option, but this does not seem to have changed the behavior.
services.gnome-keyring.components =["pkcs11" "secrets"];
Maybe it’s due to gnome desktop environment starting systemd system level unit, whereas home-manager start systemd user level unit?
The home-manager module creates a new systemd user service that starts the requested components but you need to enable it with services.gnome-keyring.enable = true in your home-manager configuration.
But since the GNOME NixOS module enables the gnome-keyring module by default, it will still start the ssh component. And because gnome-keyring currently uses XDG autostart files instead of systemd services, it is not possible to nicely disable it.
You could try force-disabling the NixOS module using services.gnome.gnome-keyring.enable = lib.mkForce false; in NixOS configuration but that will likely break something – many GNOME apps expect GNOME Keyring services to be available and the module does some things not done by home-manager. So you should probably leave the home-manager option alone, it is mainly meant for non-GNOME desktop environments.
If the recommendation on the Arch wiki is correct, you should be able to mask the autostart file, and change SSH_AUTH_SOCK environment variable, though.
Relevant issue: Allow setting `gnome-keyring` components · Issue #166887 · NixOS/nixpkgs · GitHub
If you’re able to set SSH_AUTH_SOCK, it will always override the GKR agent. Clients use that env variable to find the agent.